OAuth 2.0 access management

Secure your APIs with access tokens

The Connect2id server can act as a fully fledged OAuth 2.0
server, for securing web APIs and other protected resources with access
tokens.

All standard OAuth 2.0 grants,
or flows, for obtaining access tokens are supported:

Authorisation code

For traditional web apps as well as mobile / native clients

Implicit

For browser-based applications coded in JavaScript

Resource owner password

For highly trusted clients or if other grant types are unavailable

Client credentials

For clients that act on their own behalf

JWT assertion

For bridging two security domains

SAML 2.0 assertion

For SAML clients that need to obtain OAuth tokens

Bring your own policies

Security architects enjoy plenty of freedom with the Connect2id server:

Apply arbitrary rules and security policies to each OAuth 2.0 grant. These
may be implemented in any programming language, and are applied to the
Connect2id server via its powerful APIs (web or native).

Short (transient) as well as long-lived (persisted) authorisations are
supported. The latter enable end-user consent to be remembered across
requests.

The issued access tokens can be self-contained (encoded as a signed or
signed + encrypted JWT) or identifier-based (the authorisation is stored in a
database and queried remotely by secure key).

The token scope can be assigned implicitly.

The lifetime of the issued ID, access and refresh tokens can be controlled
for each individual application and end-user.

Tokens may carry additional data.

Advanced use cases

Version 4 of the Connect2id
server added support for more advanced use cases:

Impersonation — enables a privileged user to log into a client
application under a different identity. May also extend to accessing
protected resources (web APIs) as the impersonated identity and
using their permissions.

Delegation — enables one user to act on behalf of another.

Token management

The Connect2id server provides web-based endpoints to manage the entire life
cycle of a token:

Support for distributed apps

Applications that are distributed within and across data centres are easily
catered for by the Connect2id server. This is accomplished with self-contained
access tokens (JWT) which take only a fraction of a millisecond to verify and
clear the request.

Applications with limited / unreliable connectivity can also benefit from this
approach.